
"The problem is pervasive, but failure to deal with it is due to some pretty basic failings, such as organisations not knowing all their suppliers," said Drew Wilkinson, senior associate and cyber risk expert at Booz Allen Hamilton.

Many organisations do not know which third-party supplier contracts are active, what information suppliers have access to and what the most critical data assets are, he told Computer Weekly.

"Organisations should spend time securing the most valuable data and knowing who has access to it," said Wilkinson.

Monitoring third parties

Beyond that, he said, few organisations are managing third-party and supply chain cyber risks on a regular and ongoing basis.

"A lot of effort is put into setting up the initial relationship, but organisations typically select a supplier that is low-risk to begin with and there is no provision for monitoring how or if that changes," he said.

Wilkinson said organisations need to recognise a lot can change after a supplier is first selected, which means low-risk suppliers can become high-risk over time.

"This is not a back-office operation that can be set once and work well for the next five years -- you have to continually re-evaluate and re-assess as things change," he said.

According to a Booz Allen Hamilton report, the majority of third-party risk incidents at an organisation are likely to occur in an existing relationship.

These existing relationships are often under-managed due to poorly understood key risk indicators, difficulty in obtaining relevant and timely information and limited relationship manager dedication or training, the report states.

As part of a continuous monitoring process, organisations should question whether a supplier is still the best choice available, whether a supplier's performance is meeting expectations, whether cyber controls have been as effective as originally assessed and whether changes in the organisation's operations or external regulations have created new requirements.

"Make security controls a requirement for suppliers that have access to highly sensitive information and require them to adhere to the same data handling processes and procedures as the organisation," said Wilkinson.

However, Wilkinson emphasised the same requirements should apply to all suppliers, citing an example of a financial services firm that had excluded legal services from its general procurement process in the interests of saving time.

"But because this was not part of the general procurement process, contracts with legal firms were not subjected to any of the company's standard cyber security reviews, which is extremely risky considering the sensitive nature of company data normally handled by legal firms," he said.

Typically, companies struggle to obtain the information they need and translate that into risk decisions aligned with corporate risk appetite.

However, according to Wilkinson, it is possible to mitigate cyber and other risks from suppliers by making third-party risk management an integrated function of the business.

Collaborate against risk

In addition to ensuring that the same diligence performed at the time of hiring a supplier is continued on a regular basis, there are several ways of mitigating third-party risk.

First, organisations need to follow the hackers' example and work collaboratively to share information about risks internally with other departments and externally with industry peers.

"Attempting to hide information breaches by not talking about incidents is likely to make the same thing happen again," said Wilkinson.

"Sharing information about attack methods can help whole industries be better at avoiding, detecting and responding to cyber threats," he said.

Next, organisations can improve their assessment process by incorporating historical performance from an independent source, rather than relying on supplier self-assessments of things such as data security controls.

Continuous external data feeds can reduce the difficulty and cost of acquiring meaningful data and allow relationship owners to make operating decisions while knowing the risk consequences, according to the Booz Allen Hamilton report.

Risk management

Wilkinson said other common challenges include the tendency of organisations to focus on process compliance instead of risk management, a poor understanding of inherent risk due to limited resources to monitor and manage risk and a failure to recognise that risk management can only be as good as the organisation's ability to operate it.

"Companies often make significant investments in a risk methodology and supporting process that is not sustainable or even operable. The emphasis is on designing the process rather than operational efficiency.

"It is important to consider who will perform assessments, the related operating budget and the acceptable performance standards, such as assessment cycle time, into the methodology and process design," he said.

Just as automakers started treating their suppliers as being integral to the business, Wilkinson said other industries need to ramp up the trend of treating suppliers as part of their own organisation or an extension of the team and involving them in processes from the design stage.

"We are seeing this mainly in the financial sector, but also in the retail, life sciences, pharmaceutical and energy sectors as organisations begin to understand the value of their data," he said.

Insightful technology

Finally, Wilkinson advises organisations to use technology to their advantage to provide the right information at the right time so risk owners can apply their limited time to making decisions, rather than performing research or other administrative tasks.

According to the Booz Allen Hamilton report, organisations can use open-source technology with learning algorithms to identify discrete supplier risk events from across the internet and social media.

These risk events can be categorised by risk type, tracked over time and summarised in a simple review for risk owners to take decisive actions, the report said.

Big data analytics can also be used to tackle the challenge of aggregating information from multiple sources, risk domains or business units into an enterprise level view of risk by finding commonality between disparate sources without "cleaning" or normalising all the source data, saving significant time and cost, the report said.
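The review loop described above can be sketched in code: an inventory of suppliers (contract status, what data they can reach, the risk tier assigned at onboarding, when they were last assessed and whether the contract went through standard procurement) is joined against a dated feed of risk events, each event is weighted by risk type, and the result is summarised per supplier with the flags a risk owner would act on, including the "low-risk supplier drifted to high-risk" and "contract bypassed the cyber review" cases discussed earlier in the article. This is an added illustration, not code from Computer Weekly or the Booz Allen Hamilton report; the supplier names, the event feed, the risk types, the weights and the one-year assessment cadence are all constructed assumptions for the example.

```python
"""Continuous third-party risk review: inventory + event feed -> per-supplier findings.

Added illustration, not code from Computer Weekly or Booz Allen Hamilton.
All supplier records, events, risk types and weights below are constructed
assumptions; a real deployment would pull them from the contract register
and an external risk-event feed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed weight per risk type: a confirmed breach outweighs an operational hiccup.
RISK_WEIGHTS = {"breach": 40, "regulatory": 25, "financial": 15, "operational": 10}
UNKNOWN_TYPE_WEIGHT = 5

# Assumed policy settings: reassess at least yearly, and tier thresholds on the score.
MAX_ASSESSMENT_AGE = timedelta(days=365)
HIGH_RISK_THRESHOLD = 50
MEDIUM_RISK_THRESHOLD = 20
SENSITIVE_ACCESS = ("confidential", "restricted")


@dataclass
class Supplier:
    name: str
    contract_active: bool
    data_access: str          # "public", "internal", "confidential" or "restricted"
    onboarding_risk: str      # tier assigned when the contract was first signed
    last_assessment: date
    through_procurement: bool # did the contract pass the standard cyber review?


@dataclass
class RiskEvent:
    supplier: str
    when: date
    risk_type: str
    summary: str


# Constructed sample inventory and feed (fictional suppliers and events).
SUPPLIERS = [
    Supplier("Acme Cloud Hosting", True, "restricted", "low", date(2017, 3, 1), True),
    Supplier("Blackstone Legal LLP", True, "confidential", "low", date(2015, 6, 15), False),
    Supplier("Cheapmail Marketing", False, "internal", "medium", date(2016, 1, 10), True),
]
EVENTS = [
    RiskEvent("Acme Cloud Hosting", date(2018, 2, 3), "breach", "Customer data exposed via open storage bucket"),
    RiskEvent("Acme Cloud Hosting", date(2018, 5, 20), "regulatory", "Regulator opens inquiry into the exposure"),
    RiskEvent("Blackstone Legal LLP", date(2018, 4, 1), "operational", "Lead partner on the account departs"),
    RiskEvent("Cheapmail Marketing", date(2018, 6, 11), "breach", "Credential dump naming the supplier posted online"),
]
REVIEW_DATE = date(2018, 7, 1)


def score_events(events, as_of, window_days=365):
    """Sum weighted events per supplier and per risk type inside the lookback window."""
    cutoff = as_of - timedelta(days=window_days)
    by_supplier = defaultdict(lambda: defaultdict(int))
    for e in events:
        if cutoff <= e.when <= as_of:
            by_supplier[e.supplier][e.risk_type] += RISK_WEIGHTS.get(e.risk_type, UNKNOWN_TYPE_WEIGHT)
    return by_supplier


def tier_for(score):
    if score >= HIGH_RISK_THRESHOLD:
        return "high"
    return "medium" if score >= MEDIUM_RISK_THRESHOLD else "low"


def review(suppliers, events, as_of):
    """Return {supplier: {score, tier, by_type, flags}} for the risk owner's review."""
    scores = score_events(events, as_of)
    findings = {}
    for s in suppliers:
        by_type = dict(scores.get(s.name, {}))
        total = sum(by_type.values())
        tier = tier_for(total)
        flags = []
        # Contracts that skipped procurement never got the standard cyber review.
        if s.contract_active and not s.through_procurement:
            flags.append("contract bypassed standard cyber review")
        # Diligence done at onboarding is only as good as its age.
        if s.contract_active and as_of - s.last_assessment > MAX_ASSESSMENT_AGE:
            flags.append("assessment overdue")
        # A supplier chosen because it was low-risk may not be low-risk any more.
        if s.onboarding_risk == "low" and tier == "high":
            flags.append("risk drifted from low at onboarding to high")
        # Events against an inactive contract suggest access was never revoked.
        if not s.contract_active and total > 0:
            flags.append("inactive contract still generating events; check access revoked")
        if s.data_access in SENSITIVE_ACCESS and tier != "low":
            flags.append(f"elevated risk with {s.data_access} data access")
        findings[s.name] = {"score": total, "tier": tier, "by_type": by_type, "flags": flags}
    return findings


if __name__ == "__main__":
    for name, f in review(SUPPLIERS, EVENTS, REVIEW_DATE).items():
        print(f"{name}: score={f['score']} tier={f['tier']} by_type={f['by_type']}")
        for flag in f["flags"]:
            print(f"  - {flag}")
```

Run as a script it prints one summary line per supplier followed by its flags. The weights and thresholds are the part a real programme would argue over; the point of the structure is that the same review runs every cycle against fresh feed data, so a supplier's tier is recomputed rather than inherited from the day the contract was signed.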

Educating users about risk

Wilkinson believes many organisations still have a long way to go in understanding that the world is changing and information security is becoming increasingly important.

"Twenty years ago, there was no training on how to protect data and there was no need for a chief information security officer. But people are becoming more educated on this issue and education is one of the things that will help prevent third-party cyber risk in the future," he said.

The problem, he said, is that even where there are groups of people in organisations who understand the threats and set the policies, it is left up to users to execute those policies.

"Users do not always understand the dynamics of threats that are changing all the time or what information might be valuable to attackers," he said.

Wilkinson believes information security risks need to be understood by everyone in an organisation so users, including those who are managing third-party supplier contracts, can become an effective first line of defence.

1 comment

This is most timely because the non-availability of insurance to cover third party risk (for reasons which the Ashley Madison hack have made all too apparent) https://www.computerweekly.com/blogs/when-it-meets-politics/2015/08/the-ashley-maddison-hack-illus.html

The UK equivalent of the ISACs are the WARPs https://www.warp.gov.uk/about-us/